Port monitor doesn't allow both transmit and receive. The problem I am
having is that the sensor gives me a false positive of offline, because the
sensor cannot send out its "hey, I am alive".



-----Original Message-----
From: Leonardo Castex [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 20, 2003 4:11 PM
To: Jones, Jeff; Paul Van Gurp; [EMAIL PROTECTED]
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches


Hi:

It depends on the IOS running in your Cisco, but we use port monitor
without any problem.

-----Original Message-----
From: Jones, Jeff [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 20, 2003 12:46
To: 'Paul Van Gurp'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] SPAN port for IDS monitoring - Cisco switches



One major problem I have come across is switches running IOS instead of
CatOS.

CatOS span can only receive; it cannot transmit. It does what it calls
Monitor.



-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 20, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SPAN port for IDS monitoring - Cisco switches


Hi all.

I am not a network specialist by any means so please be gentle.  I am
currently attempting to deploy network sensors throughout our
infrastructure.  Since we have a switched environment, I have 2 options
(that I am aware of):

*       use the SPAN port of a switch for a network IDS
*       use network taps.

Many of our switches have several internal interfaces that I would like to
monitor...i.e. one switch will be used for traffic destined for 8 different
networks.  I would like to be able to plug an IDS into the SPAN port of the
switch and get the networking people to configure the SPAN port to accept
traffic from port 1, 3, and 8 for example because those are critical network
segments.  This would allow my IDS to monitor all 3 of those ports at the
same time.  The network guys say this is not possible and I can only span
one port on the switch to the SPAN port. This means using the SPAN port is
out of the question for our environment.  I went to the Cisco site and it
seems that the switches are capable of doing what I want, so I am confused.

Question 1:  Who is right...i.e. can a SPAN port monitor traffic over
multiple incoming/outgoing ports on a single switch?  If not, then why not?
Question 2:  If the network guys are right, then why is the SPAN port a
widely used method of deploying network IDS?
Question 3:  If the network guys are right, what other options are open to
me...I mentioned taps, but don't I run into the same issues...1 tap for 1
network segment, and so in my example above I would require 8 taps for the
switch with 8 ports.

Thanks in advance.

Paul
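Added example, not part of any message in this thread: a Cisco IOS SPAN session of the kind Paul asks about, mirroring several source ports to a single destination port where an IDS sensor is attached. The session number, interface names and port numbers are assumed for illustration; the exact command set and the maximum number of sessions and sources vary by platform and IOS version, so check the documentation for the switch in question.

```cisco
! Assumed: Catalyst switch running IOS, sensor connected to FastEthernet0/24.
! Source ports 1, 3 and 8 are the "critical segments" from the question.
! "both" captures frames the source port receives AND transmits.
configure terminal
 monitor session 1 source interface FastEthernet0/1 both
 monitor session 1 source interface FastEthernet0/3 both
 monitor session 1 source interface FastEthernet0/8 both
 ! One destination port receives a copy of everything above.
 monitor session 1 destination interface FastEthernet0/24
end
! Verify what the switch actually mirrors before trusting sensor coverage:
show monitor session 1
```

Two operational points follow from the thread itself. First, the destination port receives copies of all three sources, so its own link speed caps the aggregate traffic it can carry; if the three sources are busy, the sensor will see drops and alerts will be missed. Second, "both" here refers only to the direction of traffic captured on the source ports; whether the destination port will also accept frames sent by the sensor (the "hey, I am alive" heartbeat the first message describes) is a separate, platform-dependent setting, and a sensor showing as offline after SPAN is enabled is the symptom to check for.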



_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo